Data Processing Agreement

This DPA is provided for school and business procurement teams who require a formal data processing agreement before purchasing NeuroInclusive products or services.

What this covers

  • Processing of staff/pupil assessment data via the NeuroInclusive platform
  • Campaign survey responses (anonymous and named)
  • Evidence items uploaded to the Evidence Vault
  • AI-generated reports and their data handling
  • Sub-processor details (Supabase, Stripe, Anthropic, Cloudflare)
  • Data retention, deletion, and breach notification procedures

Key commitments

  • All data stored in UK/EU data centres (Supabase EU region)
  • AI processing uses Anthropic (US, with Standard Contractual Clauses)
  • No child-identifying information is sent to AI providers
  • Campaign responses are anonymous by default
  • Data deletion within 30 days of request
  • Breach notification within 72 hours (ICO) and without undue delay (data subjects)
  • Annual security review and DPA update

Sub-processors

  • Supabase Inc. — Database, authentication, file storage (EU region, SOC2 Type II)
  • Stripe Inc. — Payment processing (PCI DSS Level 1)
  • Anthropic PBC — AI report generation (US, SCCs in place, no data retention)
  • Cloudflare Inc. — CDN, DDoS protection, Pages hosting (EU presence)
  • Postmark (ActiveCampaign) — Transactional email delivery

Last updated: March 2026 · Version 1.0 · For questions: admin@neuroinclusive.uk

If you require a countersigned copy or specific amendments for your procurement process, please contact us.

'); w.document.close(); w.print(); }